1 Introduction and Roadmap

Document Scope

This document provides security vendors and application developers with the information needed to develop new security providers for use with WebLogic Server.

Documentation Audience

This document is written for independent software vendors (ISVs) who want to write their own security providers for use with WebLogic Server. It is assumed that most ISVs reading this documentation are sophisticated application developers who have a solid understanding of security concepts, and that no basic security concepts require explanation. It is also assumed that security vendors and application developers are familiar with WebLogic Server and with Java (including Java Management eXtensions (JMX)).

Guide to this Document

This document provides security vendors and application developers with the information needed to develop new security providers for use with the WebLogic Server.

Chapter 3, "Design Considerations" which explains the general architecture of a security provider and provides background information you should understand about implementing SSPIs and generating MBean types. This section also includes information about using optional management utilities and discusses how security providers interact with WebLogic resources. Lastly, this section suggests ways in which your custom security providers might work with databases that contain information security providers require.

Chapter 4, "Authentication Providers" which explains the authentication process (for simple logins) and provides instructions about how to implement each type of security service provider interface (SSPI) associated with custom Authentication providers. This topic also includes a discussion about JAAS LoginModules.

Chapter 5, "Identity Assertion Providers" which explains the authentication process (for perimeter authentication using tokens) and provides instructions about how to implement each type of security service provider interface (SSPI) associated with custom Identity Assertion providers.

Chapter 6, "Principal Validation Providers" which explains how Principal Validation providers assist Authentication providers by signing and verifying the authenticity of principals stored in a subject, and provides instructions about how to develop custom Principal Validation providers.

Chapter 7, "Authorization Providers" which explains the authorization process and provides instructions about how to implement each type of security service provider interface (SSPI) associated with custom Authorization providers.

Chapter 8, "Adjudication Providers" which explains the adjudication process and provides instructions about how to implement each type of security service provider interface (SSPI) associated with custom Adjudication providers.

Chapter 9, "Role Mapping Providers" which explains the role mapping process and provides instructions about how to implement each type of security service provider interface (SSPI) associated with custom Role Mapping providers.

Chapter 10, "Auditing Providers" which explains the auditing process and provides instructions about how to implement each type of security service provider interface (SSPI) associated with custom Auditing providers. This topic also includes information about how to audit from other types of security providers.

Chapter 11, "Credential Mapping Providers" which explains the credential mapping process and provides instructions about how to implement each type of security service provider interface (SSPI) associated with custom Credential Mapping providers.

Chapter 13, "Servlet Authentication Filters" which explains the Servlet authentication filter process and provides instructions about how to implement each type of security service provider interface (SSPI) associated with Servlet authentication filters.

Chapter 14, "Versionable Application Providers" which explains the concept of versionable applications and provides instructions about how to implement each type of security service provider interface (SSPI) associated with custom Versionable Application providers.

Chapter 15, "CertPath Providers" which explains the certificate lookup and validation process and provides instructions about how to implement each type of security service provider interface (SSPI) associated with custom CertPath provider.

Related Information

The Oracle corporate Web site provides all documentation for WebLogic Server. Other WebLogic Server documents that may be of interest to security vendors and application developers working with security providers are: